It has been observed that substantial portions of an operating system kernel, including portions of the kernel's data, should not be changed after some milestone (e.g. after the kernel is loaded). In addition, the operating system may complete a set of initialization routines which determine the number and features of the CPUs and memory regions present in a system. In many cases, those data structures should not change after initialization. Changes to these regions of memory after such milestones have been passed are often due to either implementation errors or malicious attacks. Preserving the integrity of a running kernel is vital for maintaining system security.
Applications executed on a computer system rely on the operating system kernel to manage resources and enforce boundaries. Basic protection of the kernel is typically provided by distinguishing the execution of trusted kernel code from user-space code by means of a processor supervisor bit, and then enforcing memory protection through paging and segmentation. Further protections, such as read/write protections, are provided in the page table architecture of the processor's memory sub-system. However, in current page tables the read/write and other permissions are maintained by the operating system itself. Consequently, a compromised operating system can change a read-only permission to read-write and then write to the protected memory regions. A single vulnerability in the kernel code, or an act of misplaced trust granting elevated permissions, may enable execution of hostile code in supervisor mode, which would render the computer system compromised. Additionally, since an operating system operates on virtual addresses, it is not sufficient to maintain protections only on physical pages. If protections were only on physical pages, an attacker could remap virtual addresses to unprotected pages.
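The two gaps described above (permission bits kept in an OS-controlled page table, and virtual-to-physical remapping that a physical-page check cannot see) can be made concrete with a toy model. This is an added example, not the document's own design: it assumes a hypothetical single-level page table, a per-frame write-protection array, and a monitor (`freeze_range` / `audit_mappings`) that snapshots a protected virtual range at the milestone and later verifies both the frame and the flags of every entry, beside a weaker `audit_physical_only` check that inspects frames alone.

```c
#include <stdbool.h>
#include <stdint.h>
#define NPAGES  8    /* virtual pages in the toy address space */
#define NFRAMES 8    /* physical frames */
#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u

/* Toy page-table entry: frame number plus permission bits. Constructed model,
 * not any real architecture's PTE layout. */
typedef struct { uint32_t frame; uint32_t flags; } pte_t;

/* Page table maintained by the (untrusted) OS, plus per-frame write protection. */
typedef struct { pte_t pte[NPAGES]; bool frame_ro[NFRAMES]; } machine_t;

/* Snapshot of a protected virtual range, taken at the milestone. */
typedef struct { unsigned first, count; pte_t expected[NPAGES]; } freeze_t;

/* Constructed post-initialisation state: pages 0..3 map frames 0..3 read-only
 * (frames 0..3 also write-protected); page 4 maps writable scratch frame 7. */
void init_machine(machine_t *m) {
    for (unsigned p = 0; p < NPAGES; p++) m->pte[p] = (pte_t){0, 0};
    for (unsigned fr = 0; fr < NFRAMES; fr++) m->frame_ro[fr] = fr < 4;
    for (unsigned p = 0; p < 4; p++) m->pte[p] = (pte_t){p, PTE_PRESENT};
    m->pte[4] = (pte_t){7, PTE_PRESENT | PTE_WRITE};
}

/* Record frame and flags of each page in [first, first+count) at the milestone. */
void freeze_range(const machine_t *m, unsigned first, unsigned count, freeze_t *f) {
    f->first = first;
    f->count = count;
    for (unsigned i = 0; i < count; i++) f->expected[i] = m->pte[first + i];
}

/* Physical-only audit: are the frames recorded at the milestone still
 * write-protected? A tampered PTE or a remap to another frame is invisible
 * here. Returns true when nothing suspicious is found. */
bool audit_physical_only(const machine_t *m, const freeze_t *f) {
    for (unsigned i = 0; i < f->count; i++)
        if (!m->frame_ro[f->expected[i].frame]) return false;
    return true;
}

/* Virtual-aware audit: each live PTE must still equal its snapshot (same frame,
 * same flags) and must not carry write permission. */
bool audit_mappings(const machine_t *m, const freeze_t *f) {
    for (unsigned i = 0; i < f->count; i++) {
        const pte_t *live = &m->pte[f->first + i], *exp = &f->expected[i];
        if (live->frame != exp->frame || live->flags != exp->flags) return false;
        if (live->flags & PTE_WRITE) return false;
    }
    return true;
}
```

Flipping the R/W bit of a frozen page, or pointing that page at a writable frame, passes the physical-only audit but fails the virtual-aware one, which is the point the paragraph makes about protecting physical pages alone.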